US10360379B2ActiveUtilityA1

Method and apparatus for detecting exploits

40
Assignee: F SECURE CORPPriority: Dec 21, 2015Filed: Dec 16, 2016Granted: Jul 23, 2019
Est. expiryDec 21, 2035(~9.5 yrs left)· nominal 20-yr term from priority
Inventors:Daavid Hentunen
H04L 63/1491G06F 21/552G06F 21/563H04L 63/1433H04L 63/1425G06F 21/566H04L 63/1408
40
PatentIndex Score
0
Cited by
17
References
21
Claims

Abstract

Methods and apparatus are disclosed for detecting if a source of initial content is serving exploits to a target device exposed to initial content. The method includes selecting at least two target devices and dividing the selected target devices into at least two groups, and causing the at least two groups to appear towards the initial content as having different software profiles towards the initial content. Information is obtained regarding at least one of connections and content transmitted/received by the at least two groups as a result of exposure to the initial content. The obtained information between the at least two groups is compared. If the comparison indicates that target devices in one of the at least two groups transmit/receive at least one of additional connections and additional content due to being exposed to the initial content, deciding that a source of the initial content serves exploits.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method for detecting if a source of initial content is serving exploits to a target device being exposed to said initial content, said method comprising:
 selecting at least two target devices; 
 dividing the selected target devices into at least two groups of target devices; 
 causing software profiles of target devices in at least one of said groups to appear different from software profiles of target devices in any other group by controlling changing of a version number indicating version of software used by all target devices in at least one of the groups in interaction of target devices in said group in relation to exposure to said initial content without changing the software version used by said target devices; 
 obtaining information about at least one of connections and content transmitted and/or received by the at least two groups as a result of being exposed to similar initial content; 
 comparing said obtained information between the at least two groups; 
 if the comparison indicates that target devices in one of the at least two groups transmit and/or receive at least one of additional connections and additional content as the result of being exposed to similar initial content, deciding that a source of said initial content serves exploits; and 
 if the comparison indicates that target devices in multiple of the at least two groups transmit and/or receive at least one of additional connections and additional content as the result of being exposed to similar initial content, deciding that whether a source of said initial content serves exploits is inconclusive. 
 
     
     
       2. The method according to  claim 1 , wherein said method further comprises:
 prior to selecting said at least two target devices, receiving software profiles of said at least two target devices from exploit detection clients of said at least two target devices; and 
 selecting the target devices based on said software profiles received. 
 
     
     
       3. The method according to  claim 2 , wherein said method further comprises:
 requesting software profiles from at least two target devices. 
 
     
     
       4. The method according to  claim 1 , wherein said version number of a software is changed by changing any one of:
 a version number provided in a function call; 
 a version number returned over an API of the software in response to a request; or 
 a version number observed in a network communication. 
 
     
     
       5. The method according to  claim 1 , the method further comprising:
 monitoring at least one of connections and content transmitted and/or received by the two groups of target devices as a result of being exposed to said initial content in order to obtain said information about said at least one of connections and content. 
 
     
     
       6. The method according to  claim 1 , further comprising:
 providing instructions to exploit detection clients of target devices in at least a first one of the at least two groups for changing the version number. 
 
     
     
       7. The method according to  claim 1 , further comprising:
 providing instructions to exploit detection clients of the target devices for monitoring at least one of connections and content received and/or transmitted by said target devices as a result of exposure to initial content in order to obtain said information about said at least one of connections and content; and 
 requesting said exploit detection clients to send information about said at least one of connections and content monitored by said exploit detection clients. 
 
     
     
       8. The method according to  claim 1 , wherein said initial content is any one of:
 a website; 
 content accessed on a third party web service; 
 an application accessed on a third party web service; 
 an attachment in a message received by a target device; 
 a file intended to be accessed with a software; 
 a contact received from an IP address; and 
 bytes received from an IP address. 
 
     
     
       9. An apparatus for detecting if a source of initial content is serving exploits to a target device being exposed to said initial content, said apparatus comprising:
 a processor; 
 storage media accessible by the processor, said storage media including an exploit detector configured to:
 select at least two target devices; 
 divide the selected target devices into at least two groups of target devices; 
 cause software profiles of target devices in at least one of said groups to appear different from software profiles of target devices in any other group by controlling changing of a version number indicating version of software used by all target devices in at least one of the groups in interaction of target devices in said group in relation to exposure to said initial content without changing the software version used by said target devices; 
 obtain information about at least one of connections and content transmitted and/or received by the at least two groups as a result of being exposed to similar initial content; 
 compare said obtained information between the at least two groups; 
 if the comparison indicates that target devices in one of the at least two groups transmit and/or receive at least one of additional connections and additional content as the result of being exposed to similar initial content, decide that a source of said initial content serves exploits; and 
 
 if the comparison indicates that target devices in multiple of the at least two groups transmit and/or receive at least one of additional connections and additional content as the result of being exposed to similar initial content, deciding that whether a source of said initial content serves exploits is inconclusive. 
 
     
     
       10. The apparatus according to  claim 9 , wherein said exploit detector is further configured to:
 receive software profiles of at least two target devices from exploit detection clients of said at least two target devices prior to selecting said at least two target devices; and 
 select the target devices based on said software profiles received. 
 
     
     
       11. The apparatus according to  claim 10 , wherein said exploit detector is further configured to:
 request software profiles from at least two target devices. 
 
     
     
       12. The apparatus according to  claim 9 , wherein said version number of a software is changed by changing any one of:
 a version number provided in a function call; 
 a version number returned over an API of the software in response to a request; or 
 a version number observed in a network communication. 
 
     
     
       13. The apparatus according to  claim 9 , wherein the exploit detector resides on a gateway apparatus serving said selected target devices, and said exploit detector is further configured to:
 monitor at least one of connections and content transmitted and/or received by the two groups of target devices as a result of being exposed to said initial content in order to obtain said information about said at least one of connections and content. 
 
     
     
       14. A method for detecting if a source of initial content is serving exploits to a target device exposed to said initial content, said method comprising:
 monitoring at least one of connections and content transmitted and/or received as the result of exposure to said initial content in order to obtain said information about said at least one of connections and content; 
 sending information about said monitored at least one of connections and content; 
 receiving instructions to change a version number indicating version of a software used in interaction in relation to exposure to said initial content without changing the software version used; and 
 changing said version number. 
 
     
     
       15. The method according to  claim 14 , said method further comprising:
 receiving a request to monitor said at least one of connections and content. 
 
     
     
       16. The method according to  claim 14 , wherein said method further comprises:
 receiving a request to send a software profile; 
 sending the software profile in response to receiving said request. 
 
     
     
       17. An apparatus for collecting information for detecting if a source of initial content is serving exploits to a target device exposed to said initial content, wherein said apparatus is configured to:
 monitor at least one of connections and content transmitted and/or received as the result of exposure to said initial content in order to obtain said information about said at least one of connections and content; 
 send information about said monitored at least one of connections and content; 
 receive instructions to change a version number indicating version of a software used in interaction in relation to exposure to said initial content without changing the software version used; and 
 change said version number. 
 
     
     
       18. The apparatus according to  claim 17 , further configured to:
 receive a request to monitor said at least one of connections and content. 
 
     
     
       19. The apparatus according to  claim 17 , further configured to:
 receive a request to send a software profile; 
 send the software profile in response to receiving said request. 
 
     
     
       20. A non-transitory computer storage medium having stored thereon a computer program code for implementing a method for detecting if a source of initial content is serving exploits to a target device being exposed to said initial content, the method comprising:
 selecting at least two target devices; 
 dividing the selected target devices into at least two groups of target devices; 
 causing software profiles of target devices in at least one of said groups to appear different from software profiles of target devices in any other group by controlling changing of a version number indicating version of software used by all target devices in at least one of the groups in interaction of target devices in said group in relation to exposure to said initial content without changing the software version used by said target devices; 
 obtaining information about at least one of connections and content transmitted and/or received by the at least two groups as a result of being exposed to similar initial content; 
 comparing said obtained information between the at least two groups; 
 if the comparison indicates that target devices in one of the at least two groups transmit and/or receive at least one of additional connections and additional content as the result of being exposed to similar initial content, deciding that a source of said initial content serves exploits; and 
 if the comparison indicates that target devices in multiple of the at least two groups transmit and/or receive at least one of additional connections and additional content as the result of being exposed to similar initial content, deciding that whether a source of said initial content serves exploits is inconclusive. 
 
     
     
       21. A non-transitory computer storage medium having stored thereon a computer program code for implementing a method for detecting if a source of initial content is serving exploits to a target device exposed to said initial content, the method comprising:
 monitoring at least one of connections and content transmitted and/or received as the result of exposure to said initial content in order to obtain said information about said at least one of connections and content; 
 sending information about said monitored at least one of connections and content; 
 receiving instructions to change a version number indicating version of a software used in interaction in relation to exposure to said initial content without changing the software version used; and 
 changing said version number.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.